United Kingdom

Chief Constable of the Police Service of Scotland

75,700 €

GDPR enforcement action by Information Commissioner (ICO) on 2025-12-12.

Rank · Sector

#49

of 357 in Public Sector and Education

Rank · United Kingdom

#22

of 28

Rank · All fines

#544

of 3,050

Case details

Authority: Information Commissioner (ICO)
Date: 2025-12-12
Controller / Processor: Chief Constable of the Police Service of Scotland
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) c), f) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1) GDPR, Art. 33 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The UK DPA has imposed a fine of £66,000 (EUR 75,700) on the Chief Constable of the Police Service of Scotland. The processor executed a mass download from the mobile telephone of a private individual during the course of a police investigation, thereby contravening regional data protection legislation. After the investigation concluded, the data was forwarded to another investigative entity for a misconduct investigation into a third party, who was provided with the entire download from the data subject's phone. The controller failed to implement adequate technical and organisational measures to prevent the disclosure of personal data to unauthorised third parties. Additionally, the controller failed to comply with the principles of data minimisation. Furthermore, the controller failed to inform the DPA of the data breach.

Open original source Links to the regulator's original publication or another source.